Studying Donot Team

The APT group called Donot Team (aka APT-C-35, SectorE02) has been active since at least 2012. The attackers hunt for confidential information and intellectual property. The hackers’ targets include countries in South Asia, in particular the state sector of Pakistan. In 2019, we noticed their activity in Bangladesh, Thailand, India, Sri Lanka, the Philippines, and outside of Asia, in places like Argentina, the United Arab Emirates, and …

Positive Technologies Brings ‘Hackable City’ to Life in The Standoff Cyberbattle at HITB+ CyberWeek

Attackers and defenders to face off in a digital metropolis security challenge featuring real-world critical infrastructure and technologies. Cybersecurity experts at Positive Technologies and Hack In The Box are inviting red and blue team security specialists to test their skills attacking and defending a full-scale modern city at The Standoff Cyberbattle, held during HITB+ CyberWeek. This mock digital metropolis, with full IT and OT infrastructure including …

Sustes malware updated to spread via vulnerability in Exim (CVE-2019-10149)

A new wave of attacks by the Sustes cryptominer is infecting computers via a June vulnerability in the Exim mail server. Starting on August 11, our PT Network Attack Discovery network sensors have detected attempts to exploit mail servers in incoming network traffic. Scanning is performed from the address 154.16.67[.]133. The command in the RCPT TO field triggers the download of a malicious bash script at the address …

Case study: Searching for a vulnerability pattern in the Linux kernel

This short article describes the investigation of one curious Linux kernel vulnerability and my experience with Semmle QL and Coccinelle, which I used to search for similar bugs. The kernel bug: several days ago my custom syzkaller instance got an interesting crash. It had a stable reproducer, and I started the investigation. Here I will take the opportunity to say that syzkaller is an awesome …

Finding Neutrino

In August 2018, PT Network Attack Discovery and our honeypots began to record mass scans of phpMyAdmin systems. The scans were accompanied by brute-forcing of 159 different web shells with the command die(md5(Ch3ck1ng)). This information became the starting point of our investigation. Step by step, we uncovered the whole chain of events and ultimately discovered a large malware campaign ongoing since 2013. Here we will …

IronPython, darkly: how we uncovered an attack on government entities in Europe

Hunting for new and dangerous cyberthreats is the job of the Positive Technologies Expert Security Center (PT ESC). In early April 2019, PT ESC analysts detected a targeted attack on the Croatian government. In this article, we will outline what makes this threat so interesting: the delivery chain, indicators of compromise, and the use of a new post-exploitation framework that, to our knowledge, has not previously been …

IDS Bypass contest at PHDays: writeup and solutions

Positive Hack Days 2019 included our first-ever IDS Bypass competition. Participants had to study a network segment of five hosts and then either exploit a service vulnerability or meet a particular criterion (for example, send a certain HTTP response) in order to get a flag. Finding an exploit was easy, but the IDS complicated things, as it stood between the participants and the hosts, checking …

Four ways to phish: how to avoid falling for scammers’ bait

Phishing is one of the main cybersecurity threats targeting Internet users. Today we will describe how these attacks work and how not to become a victim. Emails from trusted companies: attackers often target the customers of a particular company. They impersonate that company and reach out to its customers, asking them to click a link to a fake website, where they are tricked into entering their …

How analyzing one critical DHCP vulnerability in Windows 10 led to discovery of two more

As described in our earlier article about CVE-2019-0726, sometimes a search for the details of a known vulnerability leads to the discovery of a new one, and sometimes even more than one. That article touched upon two functions of the library dhcpcore.dll: UpdateDomainSearchOption, mentioned in passing, and DecodeDomainSearchListData, which is called by the first function and was described in more detail. As always happens when …

DHCP security in Windows 10: analyzing critical vulnerability CVE-2019-0726

When the January updates for Windows were released, the public was alarmed by news of the critical vulnerability CVE-2019-0547 in DHCP clients. A high CVSS score, together with the fact that Microsoft did not release an Exploitability Index assessment right away (which made it harder for users to decide whether they needed to update their systems immediately), stirred up the heat. Some publications even …